Avatar
I am Prateek Gianchandani. I have interests in Reverse Engineering, Mobile and Browser Security, and i am the founder of 8ksec. I hope you enjoy the content in this Blog.

iOS Application Security Part 49 - Runtime Patching with Frida

security
Published on 24 Jul 2018

In the previous article, we looked at Frida APIs and some examples of how to hook into methods, log the arguments, find the return value etc. In this article, we will look at how we can use Frida to do runtime patching of the application. Specifically, we will solve the following 2 challenges in DVIA-v2. You can download the Swift version of the app from damnvulnerableiosapp.com. An app can still have some sections in Objective-C which can be swizzled and this is what we will be taking advantage of in this article.

  1. Jailbreak Detection Bypass (Jailbreak Detection -> Jailbreak Test 2)
  2. Login Bypass (Runtime Manipulation -> Login Method 1)

Let’s attach to the application first.

1

A quick reverse and subsequent trace of the application shows the method that is of interest. Since this method is Objective-C it can be swizzled.

2

Let’s use the following code to log the return value.

	var classname = "JailbreakDetection";
	var methodname= "isJailbroken";
	var hook = ObjC.classes[classname][methodname];
	Interceptor.attach(hook.implementation, {
	  onLeave: function(retvalue) {
	    // args[0] is self
	    // args[1] is selector 
	    // args[2] is the return value
	    console.log("\nReturnValue:"
	        + retvalue + "\"]");
	  }
	});

3

As we can see, the return value is 1, which means the device is detected as jailbroken. Our task is to bypass this check. So we need to make the return value as 1.

4

We can do so with the following script. And let’s also throw an if condition to check if the Objective C runtime is available.

		if (ObjC.available){
		var classname = "JailbreakDetection";
		var methodname= "isJailbroken";
		var hook = ObjC.classes[classname][methodname];
		Interceptor.attach(hook.implementation, {
		  onLeave: function(retvalue) {
		    // args[0] is self
		    // args[1] is selector 
		    // args[2] is the return value
			newretvalue = ptr("0x0");
			retvalue.replace(newretvalue);
		    console.log("\nNewReturnValue:"
		        + retvalue + "\"]");
		  }
		});
		}

And as we can see, now the device is detected as Not Jailbroken.

6 7

Let’s use the exact same technique to bypass the challenge for Login Bypass (Runtime Manipulation -> Login Method 1)

	
	if (ObjC.available){
	var classname = "LoginValidate";
	var methodname= "isLoginValidated";
	var hook = ObjC.classes[classname][methodname];
	Interceptor.attach(hook.implementation, {
	  onLeave: function(retvalue) {
	    // args[0] is self
	    // args[1] is selector 
	    // args[2] is the return value
		newretvalue = ptr("0x1");
		retvalue.replace(newretvalue);
	    console.log("\nNewReturnValue:"
	        + retvalue + "\"]");
	  }
	});
	}

8
9

In the next article, we will look at some more examples of Frida.

8KSec Services

If you are interested in any kind of Mobile Security Assessments or Trainings, reach out to us at 8ksec.io.

We also offer the following Trainings, feel free to contact us to get a quote or for more details about the course content.

  1. Offensive Mobile Reversing and Exoloitation
  2. Practical Mobile Application Exploitation
  3. Offensive ARM64 Reversing and Exploitation
  4. Mobile Browser Security
  5. Rust for Offesive and Defensive Security
  6. Offensive iOS Internals
  7. Offensive Android Internals<
  8. Offensive Mobile Malware Analysis
  9. Practical Mobile Forensics
  10. Web3 Security: Exploiting and Defending Decentralized Applications

related posts

all tags

android authentication backtrack burpsuite defcon dns honeypots ios maintaining-access meshnet metasploit networking privacy security timing-analysis-attacks w3af web-application-security